cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Passthrough or VPN Concentrator

Here to help

Passthrough or VPN Concentrator

Hi,

 

When we select the MX to be in Passthrough or VPN Concentrator mode how does the MX know which mode to operate on? What features do we gain or loan in Passthrough or VPN Concentrator mode?

5 REPLIES 5
Building a reputation

Re: Passthrough or VPN Concentrator

@Aamir  

Choose this option if you simply want to deploy the MX device:

  • In bridge mode for traffic shaping and additional network visibility.
  • As a one-armed VPN concentrator.
  • it is also one of the best recommendation for SD WAN deployment

 

Networks and Routing > MX Addressing and VLANs

 

Here to help

Re: Passthrough or VPN Concentrator

HI,

 

In bridge mode do I still get firewall functionality? My understanding is bridge mode is firewall operating in layer 2 mode which means no routing, with one-armed concentrator deployment its still a layer 3 device, so by Passthrough or VPN Concentrator how does the MX know it needs to work on bridge mode with no routing and or VPN concentrator mode?

Building a reputation

Re: Passthrough or VPN Concentrator

@Aamir  Passthrough/Concentrator Mode is best used when there is an existing Layer 3 device upstream handling network routing functions.  The MX in this instance would still act as a security appliance, but with less functionality for Layer 3 networking.

Building a reputation

Re: Passthrough or VPN Concentrator

The recommended use case for the MX security appliance in passthrough mode is when it is acting as a VPN Concentrator for the Cisco Meraki Auto VPN feature.  Passthrough/VPN Concentrator mode ensures easy integration into an existing network that may already have layer 3 functionality and edge security in place.  With this mode, a Cisco Meraki MX security appliance can be integrated into the existing topology and allow for seamless site to site communication with minimal configuration needed.

Comes here often

Re: Passthrough or VPN Concentrator

@merakichampThank you for that info.

I have a follow up question though. In MX's documentation it is written :

"When using an MX as a site-to-site VPN peer, it will only be able to send client traffic over the VPN tunnel if that traffic has been directed to it. As such, a router or L3 switch on the network will need to have static routes configured, such that VPN-bound traffic is sent to the MX. This traffic will then be encrypted and sent through the site-to-site VPN tunnel. Traffic bound to the Internet or other destinations will simply pass through the appliance:"

 

Let's say that I have that kind of topology

Internet -Edge FW - DMZ - MX L2/VPN concentrator - Router - LAN

 

if I have a layer 3 functionality to ensure routing, if I set the MX in passthrough mode, is it possible for it to deal with S2S VPN, Client VPN AND to still pass all internet traffic (incoming and outgoing) through the MX using filtrering, IPS and AMP functionalities ?

if it's not clear, i can ce more specific.

thanks for your help.

FrederiqueC

 

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.